You are right - there’s no urgency in PQ signatures.
However, PQ KEM keys aren't small. And, as I said, for austere links every unnecessary byte of crap hurts.
Also, sending root certs seems (marginally) useful only when the recipient is a Web browser. And even then I assume most of the IT people would want to block the ability of a "mere" user to add an "unblessed" trusted root.

On Mar 31, 2021, at 14:15, Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote:
On Mar 31, 2021, at 2:01 PM, Blumenthal, Uri - 0553 - MITLL <uri@xxxxxxxxxx> wrote:
For a Web GUI with the user at the console (e.g., a Web browser), it might be OK.

For my needs (devices talking to each other over austere links), sending the root CA cert is both useless and wasteful. Once you factor in the sizes of Post-Quantum keys and signatures, you'll start disliking this idea even more.
There's no urgency in post-quantum keys for CA signatures in TLS. Their future weakness does not compromise today's traffic. Until actual scalable QCs start cracking RSA and ECDSA in near real-time, only the ephemeral key agreement algorithm needs to be PQ-resistant now to future-proof session confidentiality.

So certificates can continue to use RSA and ECDSA for quite some time.

-- 
	Viktor.
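The point argued in this thread, that a self-signed root sent in the handshake costs bytes and buys nothing, can be checked directly with Go's standard crypto/x509. The program below is an added example written for this page; it is not code from the list posters or from OpenSSL. It builds a throwaway root CA and a leaf for a hypothetical peer name "device-01.example.test" (both constructed in memory), measures the chain with and without the trailing root, and verifies the leaf three ways: full chain against a trust store that already holds the root, trimmed chain against the same store, and full chain against an empty store. The first two succeed, the third fails: a root the verifier does not already trust cannot bootstrap trust by being sent, so the only effect of sending it is the extra bytes.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const deviceName = "device-01.example.test" // hypothetical peer name, constructed for this example

// Result summarises what the experiment measured.
type Result struct {
	FullChainBytes        int  // leaf + self-signed root, as a server would send them
	TrimmedChainBytes     int  // leaf only
	RootBytes             int  // DER size of the root that was trimmed
	FullVerifies          bool // full chain, root already in the peer's trust store
	TrimmedVerifies       bool // trimmed chain, root already in the peer's trust store
	FullVerifiesUntrusted bool // full chain, peer has an empty trust store
}

// newCert issues a certificate from tmpl, signed by parent with parentKey.
// With parentKey == nil the certificate is self-signed with its own fresh key.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildTestPKI creates a constructed root CA and a leaf it signs (in-memory only).
func buildTestPKI() (root, leaf *x509.Certificate, err error) {
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root, rootKey, err := newCert(rootTmpl, rootTmpl, nil)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: deviceName}, DNSNames: []string{deviceName},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err = newCert(leafTmpl, root, rootKey)
	return root, leaf, err
}

// trimSelfSignedRoot drops a trailing self-signed CA from the chain to be sent:
// a peer that does not already trust it gains nothing from receiving it.
func trimSelfSignedRoot(chain []*x509.Certificate) []*x509.Certificate {
	if n := len(chain); n > 1 {
		last := chain[n-1]
		if last.IsCA && bytes.Equal(last.RawIssuer, last.RawSubject) {
			return chain[:n-1]
		}
	}
	return chain
}

func chainBytes(chain []*x509.Certificate) int {
	total := 0
	for _, c := range chain {
		total += len(c.Raw)
	}
	return total
}

// verifySent treats sent[0] as the peer's leaf and sent[1:] as untrusted
// intermediates, exactly as a TLS verifier does, against its own trust store.
func verifySent(sent []*x509.Certificate, trusted *x509.CertPool) error {
	if len(sent) == 0 {
		return errors.New("empty chain")
	}
	inter := x509.NewCertPool()
	for _, c := range sent[1:] {
		inter.AddCert(c)
	}
	_, err := sent[0].Verify(x509.VerifyOptions{DNSName: deviceName, Roots: trusted, Intermediates: inter})
	return err
}

func RunExperiment() (Result, error) {
	root, leaf, err := buildTestPKI()
	if err != nil {
		return Result{}, err
	}
	full := []*x509.Certificate{leaf, root}
	trimmed := trimSelfSignedRoot(full)
	trusted := x509.NewCertPool()
	trusted.AddCert(root)
	return Result{
		FullChainBytes: chainBytes(full), TrimmedChainBytes: chainBytes(trimmed), RootBytes: len(root.Raw),
		FullVerifies:          verifySent(full, trusted) == nil,
		TrimmedVerifies:       verifySent(trimmed, trusted) == nil,
		FullVerifiesUntrusted: verifySent(full, x509.NewCertPool()) == nil,
	}, nil
}

func main() {
	r, err := RunExperiment()
	if err != nil {
		panic(err)
	}
	fmt.Printf("full chain %d bytes, trimmed %d bytes, root alone %d bytes\n", r.FullChainBytes, r.TrimmedChainBytes, r.RootBytes)
	fmt.Printf("verifies: full=%v trimmed=%v full-with-empty-trust-store=%v\n", r.FullVerifies, r.TrimmedVerifies, r.FullVerifiesUntrusted)
}
```

The savings from trimming equal the root's DER length, a few hundred bytes for the P-256 root built here. For comparison, an ML-DSA-44 (FIPS 204) root would carry a 1312-byte public key and a 2420-byte signature, which is the size pressure the thread is pointing at for constrained links.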